This four-year plan assumes you are in a hypothetical state, starting with zero security controls in place. It assumes your goal is to fulfill the NIST CSF v1.1 framework, with an eventual goal of achieving ISO 27001:2013 compliance. To get you there, it starts you with the CIS CSC 20v7 controls.
This work is free to use for any purpose and is licensed under the Creative Commons Attribution-NoDerivatives 4.0 International License.
This is very much a work in progress, and may contain inaccuracies.
Current version is DRAFT v0.3
For feedback, support or questions, please email 4yearmap //at// allanalford //dot// com.