The first step is to investigate the current situation of the organization's information security management and security from the aspects of asset classification, daily operation and maintenance, management mechanism and system configuration. Through training, the relevant personnel of the organization can fully understand the basic knowledge of information security management.

The second step is risk assessment: Asset value, threat factors and vulnerability analysis of organizational information assets are carried out to assess the information security risk of the organization, and evaluation reports are issued, and appropriate measures and methods are selected to achieve the purpose of risk management.

The third step is management planning: according to the organization's information security risk strategy, formulate corresponding information security overall planning, management planning, technical planning, etc., to form a complete information security management system;