Step 3: CHECK: Follow up

How to follow up

After you have carried out the planned activities, you must follow up on whether you have achieved your information security goals. You must evaluate the success of your efforts from the planning and implementation phases.

This type of follow-up is also known as an ‘internal audit’. It’s important that management take direct responsibility for the audit. Management should review and evaluate the following:

  • What are the results of your evaluation?
  • Have the measures taken to improve information security worked as intended?
  • Are the processes around risk management adequate?
  • Have there been any incidents that have compromised the unit’s information security? And how do we avoid them in future?
  • Have there been any changes in internal or external conditions with the potential to impact your information security?

If your security measures have involved an IT system, you can have white hat hackers test whether they work as intended.

Document your activities

Documentation is important in this phase as well.

There are a few formal requirements that apply to documentation of follow-up. For example, documents must be written and updated in accordance with a structured process.
This means that it is necessary to:

  • Adopt a file naming convention.
  • Decide on document metadata, such as the date and version of the documentation.
  • Decide on acceptable file formats.
  • Establish a process for reviewing and approving the documentation.
  • Maintain an audit trail for changes to the documentation.