What Are the Steps of the Information Security Program Lifecycle?

There is no single official set of steps for an Information Security Program Lifecycle; the steps an organization follows depend on its own preferences and on the resources it has available.

To avoid reinventing the wheel, the Integrated Controls Management (ICM) model, which treats controls as the central pivot of cybersecurity and data privacy programs, provides eight (8) steps to build and maintain a cybersecurity program:

  1. Establish Context;
  2. Define Applicable Controls;
  3. Assign Maturity-Based Criteria;
  4. Publish Policies, Standards & Procedures;
  5. Assign Stakeholder Accountability;
  6. Maintain Situational Awareness;
  7. Manage Risk; and
  8. Evolve Processes.

The ICM is a “how to build a cybersecurity program” playbook. It is designed to proactively address the strategic, operational and tactical aspects of operating an organization’s cybersecurity and privacy program at the control level, and specifically to:

  • Address both internal controls and the broader concept of Supply Chain Risk Management (SCRM).
  • Focus on the need to understand and clarify the difference between "compliant" and "secure", since that distinction is necessary for coherent risk management discussions.