The purpose of this step is to conduct a risk analysis and develop a strategy for how the organization will address the associated information risk with an appropriate level of due diligence.47

47 Due diligence is defined here as what a reasonable person would do under the same circumstances: the use of reasonable but not necessarily exhaustive efforts, also called reasonable diligence. Diligence may be defined as the earnest and persistent application of effort, especially as required by law.