It really depends on your priorities and your current situation. If your primary motivation is to reduce your exposure to risk as quickly and effectively as possible, then you should assess your most critical assets and biggest threats and start by building and implementing policies and procedures to protect those critical assets. If your objective is to attain compliance with a specific standard in order to keep or gain a customer, then you should focus on implementing the requirements of that standard.
How you go about doing either of these depends on your internal knowledge and expertise, the time your team has to build and implement, and your budget. You can download the directives of the various standards and frameworks and use them as a guide; however, without an experienced information security professional on the project, this can take a lot more time and can be frustrating and confusing, distracting you and your team from core business activities.
If your company is of a size and scope where adding a full-time security professional to the team is practical, then this is an excellent option to pursue. There are also several firms in the space that offer highly knowledgeable consultants who can provide guidance and direction to speed up the process and ensure that the resulting program is on point.