Quality, Expert-Derived Cybersecurity Documentation To Keep Organizations Secure, Compliant & Resilient - No AI Slop!
Secure Controls Framework
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Cart
Start Here
Products
Bundles
Updates
Reasons To Buy
Certification Options
Home
FAQ
What is ICM?

What is ICM?

Direct Answer

ICM stands for Integrated Controls Management, a model that emphasizes controls as the central pivot of any cybersecurity and data privacy program. ICM uses the Security, Compliance & Resilience Management System (SCRMS) as its implementation framework.

It uses an Integrated Controls Management model. The SCRMS is a “how to build a cybersecurity program” playbook. SCRMS is designed to proactively address the strategic, operational and tactical nature of operating an organization’s cybersecurity and privacy program at the control level. The SCRMS is designed to:

  • Address both internal controls, as well as the broader concept of Supply Chain Risk Management (SCRM).
  • Focus on the need to understand and clarify the difference between "compliant" versus "secure" since that is necessary to have coherent risk management discussions.

To assist in this process, SCRMS helps an organization categorize its applicable controls according to “must have” vs “nice to have” requirements:

  • Minimum Compliance Requirements (MCR) are the absolute minimum requirements that must be addressed to comply with applicable laws, regulations and contracts.
  • Discretionary Security Requirements (DSR) are tied to the organization’s risk appetite since DSR are “above and beyond” MCR, where the organization self-identifies additional cybersecurity and data protection controls to address voluntary industry practices or internal requirements, such as findings from internal audits or risk assessments.

The SCRMS emphasizes controls are the central pivot in any organization’s cybersecurity and data privacy program. Instead of viewing governance, risk management and compliance separately, SCRMS integrates controls with policies, standards, procedures, metrics, threats and risks, creating a unified, control-centric approach. The SCRMS model supports scalability, repeatability and continuous monitoring through a controls-first mindset, aligning with best practices like NIST, ISO and CMMC.

The SCRMS provides 9 steps to create and maintain a cybersecurity program:

  • Establish Context;
  • Identify Applicable Controls;
  • Define Maturity Expectations;
  • Publish Governance Documentation;
  • Assign Stakeholder Accountability;
  • Prioritize Capabilities According To Risk;
  • Maintain Situational Awareness;
  • Manage Risk; and
  • Evolve Processes.
Keep Exploring

Relevant ComplianceForge Resources

References

Authoritative Sources