The document outlines a 9 step process for creating an information security plan:
1. Perform a regulatory review and landscape analysis.
2. Specify governance, oversight, and responsibility structures.
3. Take an inventory of organizational assets.
4. Classify data based on sensitivity.
5. Evaluate available security safeguards.
6. Perform a cyber risk assessment.
7. Perform a third party risk assessment of vendors.
8. Create an incident response plan.
9. Provide ongoing training and testing of employees.