Watch this video on YouTube
Which approach should an information security manager take first to ensure effective implementation of controls following a risk assessment?