An organization`s information security processes are currently defined as ad hoc. In seeking to improve their performance level, the next step for the organization should be to: 

Answer options:

A. ensure that security processes are consistent across the organization.
B. enforce baseline security levels across the organization.
C. ensure that security processes are fully documented.
D. implement monitoring of key performance indicators for security processes.

A

The organization first needs to move from ad hoc to repeatable processes. The organization then needs to document the processes and implement process monitoring and measurement. Baselining security levels will not necessarily assist in process improvement since baselining focuses primarily on control improvement. The organization needs to standardize processes both before documentation, and before monitoring and measurement.