00:00:10:12 - 00:01:29:00 You'll be ready to develop your plan once you have completed your self-assessment workbook, shared this with your independent assurer, and received back your assurance report, which will include a draft plan in the fourth tab of the report. And this will include the assurer's recommendations. So let's have a look at what that plan will look like when you first open it. So here you see an example. And if we zoom in... So the assurer will break down their recommendations by objective, principle, and recommendation theme, and a contributing outcome that the recommendation applies to. So the first step is to review all of the assurer's recommendations. So for example, for board direction in this example, in order for the council to meet this contributing outcome, the assurer has recommended forming an Information Security working group and that the topic of network and information systems security is regularly discussed at board level.

00:01:29:00 - 00:02:19:59 They've considered it a medium risk level, and the assurer has explained how this improvement will address the current risk: that cyber security topics not being discussed or understood at board level can lead to insufficient risk management, lack of executive awareness, and reputational damage. And they've indicated that the control type would be people and process. So as I said, step one is to review all of these recommendations and then collaborate with your colleagues to complete the second step of the plan, which is where you will consider how to address what's been identified by the assurer and what steps you can put in place to improve your council's cyber resilience.

00:02:19:59 - 00:03:07:59 So let's look at this example, to meet the board direction contributing outcome. The council has identified that their Senior Leadership Team (SLT), Senior Information Risk Owner (SIRO), and the IT and cyber team should own the risk. They've estimated it will take five days of effort, that it is low effort and medium complexity, and that they prioritise this recommendation due to the risk level and the relatively low cost and effort required to implement this. They've also indicated that it is high priority and that work will start on this in the first quarter. They could choose different quarters, or even that work would start next year.

00:03:09:54 - 00:04:00:15 So once you have completed the plan for all the recommendations, the next steps are to share your plan with your independent assurer for feedback. They'll arrange a session with you to discuss your plan, and then you can go on to make any final changes. And then you can go on to share your plan with your internal quality assurer. And hopefully at that point, you have everything you need to create your executive presentation. And you can find guidance and templates on how to do this on our website. And this also includes examples and templates on how to complete your plan.