- The SCRMS is a free resource for designing and implementing GRC practices centered on cybersecurity and data protection controls.
- Controls are the central nexus. Policies, standards, procedures, metrics, threats, and risks all map to controls.
- MCR (Minimum Compliance Requirements) vs DSR (Discretionary Security Requirements) helps categorize must have vs nice to have.
- The SCRMS defines 9 principles following the Plan, Do, Check & Act (PDCA) cycle.
- Being secure, compliant, and resilient are three distinct but interdependent outcomes.
What Is The SCRMS?
The Security, Compliance & Resilience Management System (SCRMS) is a free resource to help organizations design and implement their Governance, Risk & Compliance (GRC) practices to center around applicable cybersecurity and data protection controls. The premise of the ICM is that controls are central to cybersecurity and data privacy operations, as well as the overall business rhythm of an organization. This is supported by the Secure, Compliant & Resilient Risk Management Model (SCR-RMM), that describes the central nature of controls, where not just policies and standards map to controls, but procedures, metrics, threats and risks, as well. The ICM model takes a different approach from the traditional definition of GRC, since ICM is controls-centric, where controls are viewed as the nexus, or central pivoting point, for an organization’s cybersecurity and privacy operations.
OCEG defines GRC as, “GRC is the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity,” while Gartner jointly defines GRC/IRM as, "a set of practices and processes supported by a risk-aware culture and enabling technologies, that improves decision making and performance through an integrated view of how well an organization manages its unique set of risks."
ComplianceForge and Secure Controls Framework (SCF), the developers of the ICM model, define ICM as, “a holistic, technology-agnostic approach to cybersecurity and data protection controls to identify, implement and manage secure and compliant practices, covering an organization’s people, processes, technology and data, regardless of how or where data is stored, processed and/or transmitted.”
Compliant vs Secure
Unlike traditional GRC, the SCRMS specifically focuses on clarifying the difference between compliant versus secure, a distinction necessary for coherent risk management.
Minimum Compliance Requirements (MCR)
MCR represent the minimum bar required by external obligations such as laws, regulations, and contracts. These are non-negotiable. Not implementing them creates legal or contractual exposure.
- Externally influenced (laws, regs, contracts)
- "Must have" requirements (e.g., non-discretionary)
- Fact-finding, not risk assessment
- Forms compliance baseline
Discretionary Security Requirements (DSR)
DSR are selected based on the organization's own risk appetite and judgment. These go beyond the minimum and represent best-practice enhancements driven by internal risk management.
- Internally influenced (risk-based decisions)
- "Nice to have" (e.g., risk-informed choices, discretionary)
- Based on threat landscape and asset sensitivity
- Elevates posture beyond compliance floor
Secure and compliant operations exist when both MCR and DSR are implemented and properly governed. MCR establishes the foundational floor, while DSR is where real security improvements happen.
Addresses Tactical, Operational & Strategic Nature
SCRMS is designed to proactively address the strategic, operational and tactical nature of operating an organization’s cybersecurity and privacy program at the control level. ICM is designed to address both internal controls, as well as the broader concept of Supply Chain Risk Management (SCRM).
Secure, Compliant & Resilient
These three terms represent distinct but interdependent outcomes that organizations should strive for.
Secure
An entity can reasonably claim it is secure if it has implemented and operational defenses focused on Confidentiality, Integrity, Availability, and Safety (CIAS). Security level is dynamic, based on implemented defensive capabilities and applicable risks and threats.
Compliant
An entity can reasonably claim it is compliant if it can demonstrate conformity with applicable laws, regulations, and other obligations. The scope of compliance includes both external and internal requirements.
Resilient
An entity can reasonably claim it is resilient if it has prepared for and has the ability to adapt to changing conditions, where it can withstand or recover rapidly from disruption, including deliberate attacks, accidents, or naturally occurring threats.
9 SCRMS Principles
The SCRMS provides nine principles that follow the Plan, Do, Check & Act (PDCA) cycle.
PDCA Approach To GRC
The PDCA approach enables continuous evaluation of risks, threats, and performance trends so leadership can minimize risk by modifying how people, processes, and technology work together. The Secure Controls Framework (SCF) can be an excellent starting point for a control set if your organization lacks a comprehensive set of cybersecurity and privacy controls.
Plan
The overall GRC process beings with planning. This planning will define the policies, standards and controls for the organization. It will also directly influence the tools and services that an organization purchases, since technology purchases should address needs that are defined by policies and standards.
Do
Arguably, this is the most important section for cybersecurity and privacy practitioners. Controls are the “security glue” that make processes, applications, systems and services secure. Procedures (also referred to as control activities) are the processes how the controls are actually implemented and performed.
Check
In simple terms, this is situational awareness. Situational awareness is only achieved through reporting through metrics and reviewing the results of audits/assessments.
Act
This is essentially risk management, which is an encompassing area that deals with addressing two main concepts (1) real deficiencies that currently exist and (2) possible threats to the organization.
The SCRMS is freely available from the Secure Controls Framework website. ComplianceForge provides pre-built documentation (SCRP) that operationalizes the SCRMS principles with editable policies, standards, and procedures.
What is Governance, Risk & Compliance (GRC)?
Cybersecurity Governance, Risk, & Compliance (GRC) is an integrated approach organizations use to align cybersecurity and data privacy requirements with business objectives.
Which comes first? Governance, Risk or Compliance? This has been a hotly-debated topic since GRC was first coined over two (2) decades ago. However, there is a logical order to GRC processes that must be understood to avoid siloes and an improperly scoped security program. First, it is necessary to level-set on the terminology of what GRC functions do:
- Structures the organization’s controls to align with business goals and applicable statutory, regulatory, contractual and other obligations. Develops necessary policies and standards to ensure the proper implementation of controls.
- Risk Management. Identifies, quantifies and manages risk to information and technology assets, based on the organization’s operating model.
- Oversight of control implementation to ensure the organization’s applicable statutory, regulatory, contractual and other obligations are adequately met. Conducts control validation testing and audits/assessments.
Compliance > Governance > Risk Management
When establishing GRC practices, what is described below is the precedence of how (1) Compliance influences (2) Governance, which influences (3) Risk management.
The genesis of GRC is to first identify applicable statutory, regulatory and contractual obligations that the organization must adhere to, as well as internal business requirements (e.g., Board of Director directives). This is a compliance function that identifies statutory, regulatory and contractual obligations. It is a due diligence exercise to identify what the organization is reasonably required to comply with from a cybersecurity & data privacy perspective. This process involves interfacing with various Lines of Business (LOB) to understand how the organization operates, including geographic considerations. Generally, Compliance needs to work with the legal department, contracts management, physical security and other teams to gain a comprehensive understanding of the organizational compliance needs.
Governance Has Two (2) Key Functions:
- Develop policies and standards to meet those compliance obligations (defined by applicable control objectives); and
- Assign ownership of those controls to the applicable stakeholders involved in the affected business processes. This process often requires a documented Responsibility, Accountability, Supportive, Consulted and Informed (RASCI) chart to ensure the organizational model supports effective implementation and oversight of the assigned controls.
From a trickle-down perspective, while Risk Management logically follows both Compliance and Governance functions in establishing a GRC program, Risk Management is crucial for the organization to maintain situational awareness and remain both secure and compliant. Risk Management serves as the primary "canary in the coal mine" to identify instances of noncompliance that lead to the improper management of risks and exposure of the organization to threats; since ongoing risk assessments generally occur more frequently than internal/external audits that Compliance may oversee.