The logical progression in information security program management follows a hierarchy from high-level strategic intent to detailed, actionable execution. After an information security strategy is defined, a roadmap is created to outline the major initiatives, milestones, and timelines required to achieve the strategic goals. The roadmap, however, is still a high-level document. The immediate next step is to translate these high-level initiatives into detailed, manageable units of work. This is accomplished by developing project plans, which specify the tasks, resources, schedules, and deliverables needed to implement each component of the roadmap, thereby operationalizing the strategy.

A. Obtaining consensus on the strategy from the executive board is a critical step that should occur before or during the finalization of the strategy, not after the implementation roadmap is created.

B. Reviewing alignment with business goals is a foundational activity performed during the development of the information security strategy itself to ensure its relevance and support for the organization.

C. Defining organizational risk tolerance is a fundamental input required to formulate the information security strategy; it dictates the level of risk the organization is willing to accept and shapes strategic goals.

1. ISACA

CISM Review Manual

16th Edition. Domain 1: Information Security Governance. The manual describes the process of strategy development and implementation. It clarifies that a strategy is translated into a roadmap

which is then executed through specific projects. The development of project plans is the logical step to operationalize the high-level initiatives outlined in the roadmap. (Specifically

the concepts in Task G2: "Develop a strategy to implement the information security program" and its supporting content imply this hierarchical breakdown from strategy to roadmap to project-level execution).

2. Calder

A.

& Watkins

S. (2019). IT Governance: An International Guide to Data Security and ISO 27001/ISO 27002 (7th ed.). Kogan Page. Chapter 6

"Information Security Management System (ISMS)

" discusses the Plan-Do-Check-Act (PDCA) cycle. Creating a strategy and roadmap falls within the "Plan" phase. Developing detailed project plans is the transition from high-level planning to the "Do" phase

where the plans are executed.

3. University of Washington

Information Technology Courseware

"IT Strategy

Plans & Roadmaps." This resource distinguishes between strategies (the 'why')

roadmaps (the 'what' and 'when' at a high level)

and project plans (the detailed 'how'). It establishes that project plans are derived from the strategic roadmap to guide execution. This aligns with the principle that detailed planning follows high-level strategic outlining.