Perform a comprehensive risk assessment. Before implementing or going live with any system that handles sensitive information, it is crucial to evaluate the potential risks associated with the system's operation. Understanding the risks allows the company to take appropriate steps to mitigate them, ensuring that the system is secure and compliant with relevant standards and regulations.

• Choosing a compliance framework does not precede the identification and assessment of risks; it's more about how to manage and measure those risks after they have been identified.
• Penetration testing is an important practice, but it should be done after the risks have been identified and assessed, so appropriate penetration tests can then be scoped and carried out.
• While training staff is important, it's not the first action before launching a system; risks need to be assessed beforehand to inform any potential training requirements.