How To Create A Cybersecurity Program?

ComplianceForge Support


The process of creating a cybersecurity program starts with establishing context, since architecting a cybersecurity program is a systematic, top-down process that is grounded in the organization’s industry, risk appetite and strategic goals.

ComplianceForge How To GRC Playbook

The Integrated Controls Management (ICM) is a “how to build a cybersecurity program” playbook. ICM is designed to proactively address the strategic, operational and tactical nature of operating an organization’s cybersecurity and privacy program at the control level. The ICM is designed to:

  • Address both internal controls and the broader concept of Supply Chain Risk Management (SCRM).
  • Focus on understanding and clarifying the difference between "compliant" and "secure", since that distinction is necessary for coherent risk management discussions.

To assist in this process, ICM helps an organization categorize its applicable controls according to “must have” vs “nice to have” requirements:

  • Minimum Compliance Requirements (MCR) are the absolute minimum requirements that must be addressed to comply with applicable laws, regulations and contracts.
  • Discretionary Security Requirements (DSR) are tied to the organization’s risk appetite. DSR are “above and beyond” MCR: the organization self-identifies additional cybersecurity and data protection controls to address voluntary industry practices or internal requirements, such as findings from internal audits or risk assessments.

GRC Principles

The ICM provides 8 steps to create and maintain a cybersecurity program:

  1. Establish Context;
  2. Define Applicable Controls;
  3. Assign Maturity-Based Criteria;
  4. Publish Policies, Standards & Procedures;
  5. Assign Stakeholder Accountability;
  6. Maintain Situational Awareness;
  7. Manage Risk; and
  8. Evolve Processes.

This structure ensures your cybersecurity program is not just a siloed checklist, but a dynamic risk-management ecosystem integrated with overarching corporate strategy.

NIST SP 800‑53 R5 Control Families

This release includes a total of 1,189 controls, organized into 20 families:

  1. Access Control
  2. Awareness & Training
  3. Audit & Accountability
  4. Assessment, Authorization & Monitoring
  5. Configuration Management
  6. Contingency Planning
  7. Identification & Authentication
  8. Incident Response
  9. Maintenance
  10. Media Protection
  11. Physical & Environmental Protection
  12. Planning
  13. Program Management
  14. Personnel Security
  15. Personally Identifiable Information (PII) Processing & Transparency
  16. Risk Assessment
  17. System & Services Acquisition
  18. System & Communications Protection
  19. System & Information Integrity
  20. Supply Chain Risk Management

This count includes deprecated controls that have been removed or folded into others. Some controls are not categorized under baselines—low, moderate, high, or privacy—per NIST SP 800‑53B.

ComplianceForge provides full 1:1 mapping of all 20 families and their controls in its CDPP documentation.