Improvement (ID.IM)
We have put considerable effort into identifying IT resources and performing risk assessments around them. That effort must now become part of a program of continued work and improvement, so that we do not lose sight of identifying and classifying our resources. This next family of controls is meant to ensure that continual improvement occurs to better streamline our processes.
ID.IM-01
While we have discussed in detail how to perform cybersecurity assessments on our vendors and third parties, we should also perform evaluations on ourselves. These evaluations will highlight our deficiencies and help build project plans for improvement. Never fear assessments, as they are meant to help you improve. As discussed in Chapter 2, use the Deming cycle to identify areas of improvement and then execute those plans.
Once the assessment has been completed, identify the gaps in your program...