The diagnostics can be carried out using the “risk assessment” and the “security wheel” tools, described in previous chapters of this manual (any organisational review methodology can also be useful for this).
It is well known that this step should involve all concerned people and work teams within the organisation.
The improvement plan has to be realistic and appropriate to the profile and needs of the organisation. Here is a possible sequence of steps:
1 - Identify the organisation’s expectations and expected outcomes of the security improvement plan.
2 - Diagnose together, reach a consensus and share ideas about the current structure of security management (application of the “risk analysis” and “security wheel”): indicate the progress, shortages and needs.
3 - Indicate and discuss the best practices to be implemented in tackling the shortages and needs revealed.
4 - Indicate the desirable and desired objectives of the improvement plan.
5 - Outline the activities required to reach those objectives and what can reasonably be expected for each activity (this will enable progress towards the objectives).
6 - Outline the necessary resources (financial, human, time, technical resources). Define the responsibilities and work schedule.
7 - Define what risks arise from achieving these objectives and outcomes.
8 - Define indicators for monitoring progress and final results.
9 - Share the plan with all the involved parties in order to get feedback, to improve it and to generate the approval necessary for its implementation.
10 - Implement the plan and decide on time frames for progress monitoring and for possible changes to the process.
The process: Implementing the improvement plan.
The process includes a series of meetings and interviews with people or teams working within the organisation or in contact with it (in this case, there must be previous agreement from the organisation, indicating the specific people and/or organisations with whom security can be discussed). The exchange can start with a general introductory meeting, which may be followed by more meetings. These meetings provide the space in which to define diagnostics and discuss the implementation of the improvement plan. Moreover, the meetings can deal with specific items or they can accompany the specific work of the organisation from a security and protection standpoint.


