When we are involved in the complete project, we always follow the same internal principles: "Keep It Simple Stupid" and "Baby-Steps". We will adapt to the project management model of your company, but we will follow the general process described in the picture.
In each project around cryptography or cryptographic tooling, we will probably start with something already present. We will analyse and document the AS-IS processes, tooling and people. We do this through interviews with key people within your company. The result is a clear picture from which to perform the maturity and gap analysis.
According to your company's business model, we will use an industry-standard model and adapt it to your business needs. This will define the maturity you have for Certificate Management, Identity & Access Management, Strong Authentication and Cryptographic development processes. Using the maturity model, we shall define the minimal maturity target according to your company's strategy. Using the minimal maturity target, we can define the missing processes and tooling.
Using the "Baby-Step" model, we will start the change management process. The first introduction of tooling shall be a minimum viable product (MVP) together with the basic processes around it. This is done in a transparent and documented way together with management, development and operations.
Afterwards, we reassess the new AS-IS situation and, if necessary, start a new cycle.