The process of creating a cybersecurity program starts with establishing context, since architecting a cybersecurity program is a systematic, top-down process that is grounded in the organization’s industry, risk appetite and strategic goals.

ComplianceForge How To GRC Playbook

The Integrated Controls Management (ICM) is a “how to build a cybersecurity program” playbook. ICM is designed to proactively address the strategic, operational and tactical nature of operating an organization’s cybersecurity and privacy program at the control level. The ICM is designed to:

• Address both internal controls, as well as the broader concept of Supply Chain Risk Management (SCRM).
• Focus on the need to understand and clarify the difference between "compliant" versus "secure" since that is necessary to have coherent risk management discussions.

To assist in this process, ICM helps an organization categorize its applicable controls according to “must have” vs “nice to have” requirements:

• Minimum Compliance Requirements (MCR) are the absolute minimum requirements that must be addressed to comply with applicable laws, regulations and contracts.
• Discretionary Security Requirements (DSR) are tied to the organization’s risk appetite since DSR are “above and beyond” MCR, where the organization self-identifies additional cybersecurity and data protection controls to address voluntary industry practices or internal requirements, such as findings from internal audits or risk assessments.

GRC Principles

The ICM provides 8 steps to create and maintain a cybersecurity program:

1. Establish Context;
2. Define Applicable Controls;
3. Assign Maturity-Based Criteria;
4. Publish Policies, Standards & Procedures;
5. Assign Stakeholder Accountability;
6. Maintain Situational Awareness;
7. Manage Risk; and
8. Evolve Processes.

 This structure ensures your cybersecurity program is not just a siloed checklist, but a dynamic risk-management ecosystem integrated with overarching corporate strategy.