Presentation of the IASAP Document to Top Management

Objective: To present the Information Assurance and Security Action Plan to Top Management for their approval, and so establishing a foundation for its deployment.


The completed IASAP document is then presented to top management. This presentation is planned in advance, during the presentation of the SEIS report, thus ensuring continuity in the execution of the project.


Approval of the IASAP document by top management is yet another milestone in their commitment to integrate information security in all its processes. It means approval to start the Information Security Action Plan, according to corresponding features, planning and estimation of human and economic resources.


At this point, top management has all the necessary information to properly evaluate the efforts required in the organization to achieve their objectives of reducing risk and improving security levels. They can assess the convenience of the tasks and time frames proposed in the IASAP document, and adjust or modify them as required according to additional considerations, in some cases only known by top level management (global business strategies, existing synergies, etc.).


As in the presentation of the SEIS report, it is necessary to take into account that the audience may not have technical knowledge on security. For that reason, the key messages need to be presented adequately, following the same recommendations of the section "Presentation of the SEIS report to Top Management".


The following is an example of a possible structure of the presentation, which can be used as reference:

  • Introduction: origins of the IASAP document and its process.
  • Justified description of short, medium and long terms, and rationale for the inclusion of tasks in these time frames.
  • Short Term: Detailed description of each task to be completed in this deadline, including deadlines for: deployment, resources (stating if they are internal and/or external), suppliers' quotes (where needed), tasks and economic assessment. (For example, tasks that should be executed in under six months).
  • Medium Term: Detailed description of each task to be executed as stated in the previous point. (6 to 12 months)
  • Long Term: Detailed description of each task to be executed as stated in the previous point. (more than 12 months )
  • Time planning proposal: Proposal with real dates for the fulfilment of objectives stated in the IASAP document (i.e. a Gantt chart).

In addition to improvements on security, the IASAP document can be used as a framework for a policy of compliance to objectives at different levels in the organization, from departmental to personal/role ones.