Four tips for successful IT Security cost and monitoring progress

1. After completion of a draft statement of applicability (SoA). Any costs incurred prior to this should be minimal, but until the SoA defines what needs to be done, it will not be possible to budget effectively for the implementation.

2. After implementation of the initial suite of procedures that apply the identified controls.

3. After completion of the first cycle of system audits and reviews in accordance with control A.15.2 of the standard and prior to the initial visit by the certification body.

4. Annually, as part of the regular review of the ISMS, to ensure that the budget is being correctly applied and that any new technology issues, threats or vulnerabilities have been taken care of.