The first stage is a risk assessment, whose goal is to identify and quantify the risks to the organizational assets due to cyber-attacks and failure to comply with required regulations (e.g. GDPR). The risk assessment consists of an inspection of processes, organization and technology. The result is a list of graded risks and prioritized proposed mitigations.