Phase 2: Do

This page describes the implementation phase (Do) of KTH’s information security work according to the Plan–Do–Check–Act (PDCA) model. In this phase, decided security controls and established working methods are implemented in the organisation.

The implementation phase assumes that KTH has, in the planning phase, defined information security objectives, identified and assessed organisational risks, decided on relevant security controls (Statement of Applicability, SoA), established a communication plan, implemented an information classification process, and allocated the necessary resources. These prerequisites ensure that the measures introduced are well balanced and aligned with organisational needs.

The purpose of the implementation phase is to apply decided security controls and to carry out information classification as the basis for appropriate protection of KTH’s information. The work is carried out by information risk owners in collaboration with KTH IT and other IT service providers, with support from research infrastructures, HR, physical security, and the CISO function. The management team follows up the work at an overall level, while users contribute by handling information in accordance with established rules and procedures.

The expected outcome of the implementation phase is that KTH has introduced the decided information security measures and established and started using a functioning information classification process. These measures and processes are subsequently followed up in the Check phase.