At the development stage, you should plan which policies are required and what they must contain. First, policies are drafted by the Information Security Working Group. Next, those policies are reviewed, commented on, and edited by the Information Security Committee. Once editing is complete, the policies are passed on for formal approval by the Board of Directors.
At the adoption stage, your company needs to plan how best to adopt and implement those policies. Typically, the adoption stage includes drafting a few more documents that outline the information security program activities, the procedures for gap assessment, the communication plans for the proposed changes, and detailed development and implementation plans.
The information security program implementation stage consists of executing the plans developed during the adoption stage. At the end of the implementation stage, documentation should be prepared to ensure that the controls and processes are continuously managed in compliance with the developed policies and their objectives.
At the management stage, you should ensure that your company manages and reinforces compliance, which includes a consistent review of information security program audits and the holding of regular Information Security Committee meetings.
At the assessment stage, policies should be reviewed regularly (at least annually) to ensure they are still relevant and, if they are not, updated accordingly.