# Security Strategy and Roadmap

One-sentence definition: Multi-year plan aligning security initiatives to business goals and risk priorities with measurable outcomes.

## Key Facts

- Inputs: risk register, metrics, audit findings, business strategy.
- Prioritize by risk reduction, regulatory deadlines, dependencies.
- Define initiatives, owners, timelines, budgets, KPIs/KRIs.
- Communicate to governance; review quarterly.
- Link to architectures, staffing, and capability maturity.
- **Verify:** check official (ISC)² CBK and current exam outline.

## Exam Relevance

- Select initiatives aligned to stated business/risk drivers.

**Mnemonic:** “**Why → What → When → Who → How much**.”

## Mini Scenario

Q: Highest risk = phishing; roadmap item?

A: MFA expansion, email security, awareness program, simulated phishing metrics.

## Revision Checklist

- Name 4 roadmap inputs.
- Provide 2 prioritization criteria.
- Tie one KPI/KRI to a roadmap item.

## Related

[[Security Metrics, KPIs, KRIs]] · [[Risk Register and Reporting]] · [[COBIT Governance]] · [[ISO 31000 Risk Management Principles]] · [[Security Governance]] · [[Domain 1 - Index]]