# Overall

**Strategic Plan.** A strategic plan is a long-term plan that is fairly stable. It defines the organization's security purpose, establishes the security function, and aligns that function to the goals, mission, and objectives of the organization. It remains useful for about five years, provided it is maintained and updated annually. The strategic plan also serves as the planning horizon: long-term goals and the vision for the future are set out in it. A strategic plan should include a risk assessment.

# Strategic Plan Structure

Your final Security Strategic Plan should include:

  1. Define the Security Purpose
  2. Understand Business Context
  3. Define Security Scope & Functions
  4. Perform a High-Level Risk Assessment
  5. Define Security Vision (5-Year Target State)
  6. Set Strategic Security Objectives (3–6 Only)
  7. Define Strategic Initiatives (How Objectives Are Achieved)
  8. Create a 3–5 Year Roadmap
  9. Define Metrics & Success Criteria
  10. Define the Governance & Review Model