Secure Controls Framework

How to ensure compliance with cybersecurity policies and procedures?

Direct Answer

Ensuring compliance with policies and procedures requires a Plan, Do, Check & Act (PDCA) approach to cybersecurity governance:

  • Establish Context - Establishing context is both a due diligence and due care element of a cybersecurity program, since context changes with time. Considerations include: mission/vision/strategy; statutory, regulatory and contractual requirements; fiscal constraints; organizational structure; applicable geographic-specific requirements; and internal and external stakeholder expectations.
  • Identify Applicable Controls - A tailored set of cybersecurity and data protection controls must exist for a Security, Compliance & Resilience Management System (SCRMS) implementation. This control set must be tailored to the organization’s unique requirements, combining Minimum Compliance Requirements (MCR) and Discretionary Security Requirements (DSR). This blend of “must have” and “nice to have” establishes the organization’s tailored control set.
  • Define Maturity Expectations - The organization must define maturity expectations for its cybersecurity and data protection controls. From the SCRMS perspective, maturity expectations define entity-specific “what right looks like” for control implementation and ongoing operation. These maturity-based criteria apply across People, Processes, Technologies, Data and Facilities (PPTDF) and directly support the organization’s security, compliance and resilience goals.
  • Publish Governance Documentation - Governance documentation is the written foundation of a cybersecurity program. This includes policies, standards, procedures, guidelines and plans. Without published documentation, controls cannot be consistently applied, audited, or enforced. The SCF provides a direct mapping between controls and the governance documentation required to support them.
  • Assign Stakeholder Accountability - Every control must have an owner. Accountability structures ensure that cybersecurity responsibilities are clearly assigned to specific roles across the organization, not just the security team. This includes executives (risk ownership), managers (policy enforcement) and operational staff (procedure execution). Undefined accountability is one of the most common root causes of control failures.
  • Prioritize Capabilities According To Risk - Not all controls carry equal risk weight. Organizations with finite resources must prioritize implementation based on risk exposure, compliance criticality and threat relevance. The SCRMS provides guidance for risk-based prioritization so that the most impactful controls are implemented first, ensuring early risk reduction even before a complete control set is in place.
  • Maintain Situational Awareness - Situational awareness is achieved through continuous monitoring, metrics collection and periodic assessments. This principle covers logging, monitoring, alerting and audit programs. Without situational awareness, organizations cannot detect incidents, measure control effectiveness, or demonstrate compliance. The SCRMS aligns this principle directly to the Check phase of the PDCA cycle.
  • Manage Risk - Risk management is the engine of the SCRMS Act phase. It encompasses: identifying and treating current deficiencies, assessing emerging threats and vulnerabilities, making risk acceptance decisions, tracking remediation and reporting risk status to stakeholders. The SCF’s risk management controls (GOV and RSK domains) provide the specific control requirements for building a functional risk management capability.
  • Evolve Processes - The SCRMS is a living system. Cybersecurity threats, business contexts and regulatory landscapes all change over time. Organizations must build continuous improvement into the SCRMS lifecycle by reviewing the program periodically, updating controls and governance documentation, reassessing risk and incorporating lessons learned from incidents and audits into the next planning cycle.

Effective compliance reduces risk, improves governance and enhances organizational integrity.