The assessment will uncover the gaps that exist between what is in place, and what the framework is suggesting you need. The missing controls will not need to be implemented in every case. This will vary depending on budget, resource availability and their applicability to a business. A maturity rating will be applied in order to understand how well the existing controls have been implemented.

The remediation phase is where the organization will be presented with the entire cost for remediation efforts designed to follow the framework recommendations. This is the opportunity where the business decides – based on priority - how best to allocate budget and resources. Without this, it is impossible for the business to prioritize where scarce budgets and resources should be spent, and subsequently how long it will take to complete. This is also where the responsibility is transferred away from IT.

Once remediation efforts are under way, this is the point where the organization now starts to manage the implemented solutions, policies and procedures that will govern the security program. Depending again on budgets and resource availability, the business should decide if it is to be handled in-house or using a combination of outsourced and internal resources. Verification requires that all newly implemented controlsare tested and determined to be operational and are in fact providing the safeguards that were implemented.