1: Identifying and assessing information risks
2: Introducing and developing a risk management system
3: Identifying the information requiring protection
4: Developing protective measures
5: Establishing an awareness of the importance of security in the company
6: Continual improvement of measures (PDCA cycle)