An organization's information security processes are currently defined as ad hoc. In seeking to improve their performance level, the next step for the organization should be to:

A. ensure that security processes are consistent across the organization.
B. enforce baseline security levels across the organization.
C. ensure that security processes are fully documented.
D. implement monitoring of key performance indicators for security processes.
The organization first needs to move from ad hoc to repeatable processes. Only then can it document the processes and implement process monitoring and measurement. Baselining security levels will not necessarily assist in process improvement, since baselining focuses primarily on control improvement rather than on the processes themselves. The organization needs to standardize its processes before documenting them and before monitoring and measuring them.