I. Identify the concept of capital planning and investment control and its relation to an information security system.
II. Establish key performance indicators or other metrics to identify gaps or problems within an information security system.
III. Recall the importance that a formal enterprise capital planning and investment control process for the investment life cycle results in a seven-step process for prioritizing security investments.

• Identify the baseline.
• Identify prioritization requirements.
• Conduct enterprise-level prioritization.
• Conduct system-level prioritization.
• Develop supporting materials.
• Implement an investment review board (IRB) and portfolio management.
• Submit any required budget approval paperwork.