Define and maintain a framework of policies and procedures that guides and governs the behavior of the Security Management process and its activities.

Incorporate mandatory elements from the Management Ecosystem.

Define a set of metrics to be used by each process for measurement and reporting of performance.

Review process evaluations based on analysis of current performance, and approve recommendations for improvements. Refine the metrics to encourage process vitality and cost effectiveness.

Incorporate updated metrics and process change recommendations into the framework and communicate the changes.