All strategies should start with a vision set out either by a necessity or visionary inspiration. Whether the trigger behind the vision is based upon a new senior role, restructuring, repositioning or survival the vision needs to be qualified through the drivers, goals, objectives and any opposing aspects such as issues, constraints or concerns. A vision needs balance and cross examination before it moves to any further formality. A cyber security strategy is no different however it has one further aspect to challenge it and that is the threat which is faced. That threat needs to be broken down into its many parts and actors to fully understand the magnitude, diversity and expertise behind it. A threat assessment needs to cover enough to meet the size and scale of the vision and is also there to make sure that the drivers and goals set out the right means to mitigate and manage the threat in the future, as that will generally unknown until some event or evidence appears to define it.
To compliment the threat assessment it is also necessary to conduct more general business assessments of capability, architecture and operations to build an up to date view of what, where and how the organisation is functioning. The larger the organisation the bigger the assessment view will be and the level of detail is questionable as that will depend upon resources and budget available. The business assessment should be in proportion to the size and scale of the strategy and vision. There are also a number of general standards and practices in an organisation that either have produced or must produce assessments to meet legal or regulatory requirements and these should be a starting point.