Traditional Security Management approach
Security Management lifecycle.
The traditional approach to security is very much like the waterfall approach in software engineering. First you identify all the requirements, in this case through a systematic risk assessment. Then you design your security and decide which controls you are going to use to reduce the risks you identified. After an implementation phase, in which you create your security policy and/or implement your controls, you start testing. In practice, though, security is almost never really tested. What we do have is the security audit, but the traditional security audit only tests whether the implementation is still in place. An audit does not, in general, try to test the effectiveness of your security.
An audit should also evaluate whether the current security needs to be updated and whether the security management life-cycle needs a new iteration. The audit will suggest an update of security, for instance, when a new information system has been implemented or when the security environment in which the organization operates has changed significantly. When that happens, most organizations will find out that they did not properly document the requirements phase and, hence, they will often need a completely new risk assessment. As far as documentation goes, security management is still where software engineering was twenty years ago!
There are a few limited testing tools available for information security. You can use penetration testing and vulnerability scanning, but these tools really only cover the small part of information security that concerns basic systems security.