In my previous four articles, we covered the deployment of the initial security resource, understanding the standard and its mandatory controls, defining in-scope and out-of-scope items, security ownership, vision, objectives, and some perspectives on security policy. Let us now look at how to collect security requirements for a customer.
A security policy document generally comprises the mandatory controls given in the standards and the policy statements for the security controls selected for the project. To determine the latter, we need to know the customer's security requirements; at the same time, these requirements will help you identify the critical information/data to be protected. The sources for identifying them are as follows: