Security Governance / Operations Review
This phase will leverage information gathered initially to perform a detailed assessment against industry best practices, taking into account your considerations.

At a high-level, the security operations review consists of:
a. Review of documented policies and procedures:

• Security policies
• Security standards
• Operational security procedures
• Organizational charts
• Network architectural diagrams
• Asset inventories
• Risk registers
• Other relevant documentation

b. Analyze information gathered via interviews, including practices related to:

• Vulnerability Management
• Technology Supply Chain
• HR/Personnel Security
• Privileged access management
• Change Management
• Security Monitoring
• Incident response

c. Assess the current implementation of controls across all control categories of listed here:

• Asset Management
• Security Governance
• Awareness and Training
• Protective Technology
• Access Control
• Security Monitoring
• Response Planning

d. Using standard capability maturity model, assign existing security practices a maturity level ranging from 0 (Non-existing) to 5 (Optimized).