What is ICM?

ICM stands for Integrated Controls Management. The ICM is a “how to build a cybersecurity program” playbook. ICM is designed to proactively address the strategic, operational and tactical nature of operating an organization’s cybersecurity and privacy program at the control level. The ICM is designed to: 

  • Address both internal controls, as well as the broader concept of Supply Chain Risk Management (SCRM).  
  • Focus on the need to understand and clarify the difference between "compliant" versus "secure" since that is necessary to have coherent risk management discussions.  

To assist in this process, ICM helps an organization categorize its applicable controls according to “must have” vs “nice to have” requirements: 

  • Minimum Compliance Requirements (MCR) are the absolute minimum requirements that must be addressed to comply with applicable laws, regulations and contracts. 
  • Discretionary Security Requirements (DSR) are tied to the organization’s risk appetite, since DSR go “above and beyond” MCR: the organization self-identifies additional cybersecurity and data protection controls to address voluntary industry practices or internal requirements, such as findings from internal audits or risk assessments. 

The ICM emphasizes that controls are the central pivot in any organization’s cybersecurity and data privacy program. Instead of viewing governance, risk management and compliance separately, ICM integrates controls with policies, standards, procedures, metrics, threats and risks, creating a unified, control-centric approach. The ICM model supports scalability, repeatability and continuous monitoring through a controls-first mindset, aligning with best practices such as NIST, ISO and CMMC. 

The ICM provides eight (8) steps to create and maintain a cybersecurity program:  

  • Establish Context;
  • Define Applicable Controls; 
  • Assign Maturity-Based Criteria; 
  • Publish Policies, Standards & Procedures; 
  • Assign Stakeholder Accountability; 
  • Maintain Situational Awareness; 
  • Manage Risk; and 
  • Evolve Processes.