In the security planning process, the organization identifies which assets require protection and the types of risks that could compromise those assets. This critical function determines the level of appropriate countermeasure that is required based upon a formally documented process. Security plans are not strategic documents. They must be simple, easy to use and provide information in a format that staff can use in their daily work; otherwise, the document will not be read fully or utilized.

A security procedure is a set sequence of necessary activities that performs a specific security task or function. Procedures are normally designed as a series of steps to be followed as a consistent and repetitive approach or cycle to accomplish an end result. security policy refers to clear, comprehensive, and well-defined plans, rules, and practices that regulate access to an organization’s system and the information included in it. Good policy protects not only information and systems, but also individual employees and the organization as a whole.