Managers and owners should ensure information security requirements are met, with frequent reviews and remedial actions. Organizations should record and send the eventual review to independent reviewers. Corrective steps should be timely and reviewed at the next review if unfinished.