Our organization focuses on both the Business-To-Business (B2B) and Business-To-Consumer (B2C) market segments. When you look at the international IOS standards which we support AND the additional standards promoted by FOCUS, you are confronted by quite a long list of significant and relevant requirements. Yet, where should we dig in? Plus, what should be our order of priorities? Here's an approach that might work for you.
The place to get started, and build practice capabilities is in the areas of risk identification, assessment and management. Working as a team, the firm's management needs to take the lead to make a list of all top risks, noting a description of the risk, the potential business impact and the likelihood of an occurrence. This process can be started very simply and enhanced over time. But, you need to get started and reviewed on a regular monthly basis. A business that gets this done is head and shoulders above one that takes no action! A business which assigns staff to oversee each risk is moving in the right direction.
So, with a listing of your company's prioritized risks, you will begin the risk mitigation effort starting with the highest risks first.
Of all the risks that a C+H company faces, one that stands above most other risks are those threats associated with the firm's cybersecurity. If your team has not addressed this one, then you need to reassess your list of prioritized risks, again. Take care to get this one dealt with comprehensively and professionally.