Skip to main content

PRM-01: Cybersecurity & Data Protection Portfolio Management

PRM 8 — High Govern

Mechanisms exist to facilitate the implementation of cybersecurity and data protection-related resource planning controls that define a viable plan for achieving cybersecurity and data protection objectives.

Control Question: Does the organization facilitate the implementation of cybersecurity and data protection-related resource planning controls that define a viable plan for achieving cybersecurity and data protection objectives?

General (42)
Framework Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source) CC2.2 CC3.1 CC3.1-POF4 CC3.4 CC5.2
BSI Standard 200-1 8.2
COBIT 2019 EDM02.01 EDM02.02 EDM02.03 EDM02.04 EDM04.01 EDM04.02 EDM04.03 APO05.01 APO05.02 APO05.03 APO05.04 APO05.05
COSO 2017 Principle 6 Principle 9 Principle 11 Principle 14
GovRAMP Low PL-01
GovRAMP Low+ PL-01
GovRAMP Moderate PL-01
GovRAMP High PL-01
ISO/SAE 21434 2021 RQ-05-04 RQ-05-05.a RQ-05-05.b
ISO 22301 2019 8.3.4
ISO 27001 2022 (source) 5.1(e)
ISO 27002 2022 5.4 5.8
ISO 27017 2015 6.1.5
ISO 27701 2025 7.1
ISO 31010 2009 4.3.1 4.3.2
ISO 42001 2023 7.1 A.4.2 A.6.1
NAIC Insurance Data Security Model Law (MDL-668) 4.D(2)(b)
NIST AI 100-1 (AI RMF) 1.0 MANAGE 2.1 MANAGE 2.2
NIST 800-53 R4 PL-1
NIST 800-53 R4 (low) PL-1
NIST 800-53 R4 (moderate) PL-1
NIST 800-53 R4 (high) PL-1
NIST 800-53 R5 (source) PL-1
NIST 800-53B R5 (privacy) (source) PL-1
NIST 800-53B R5 (low) (source) PL-1
NIST 800-53B R5 (moderate) (source) PL-1
NIST 800-53B R5 (high) (source) PL-1
NIST 800-82 R3 LOW OT Overlay PL-1
NIST 800-82 R3 MODERATE OT Overlay PL-1
NIST 800-82 R3 HIGH OT Overlay PL-1
NIST 800-160 3.2 3.2.1 3.2.2 3.2.3 3.2.4 3.2.5 3.2.6 3.3 3.3.1 3.3.2
NIST 800-161 R1 PL-1
NIST 800-161 R1 C-SCRM Baseline PL-1
NIST 800-161 R1 Level 2 PL-1
NIST 800-171 R2 (source) NFO-PL-1
NIST 800-171 R3 (source) 03.16.01
NIST CSF 2.0 (source) GV.RM GV.RR-03
UL 2900-1 2017 11.1
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) PRM-01
SCF CORE ESP Level 1 Foundational PRM-01
SCF CORE ESP Level 2 Critical Infrastructure PRM-01
SCF CORE ESP Level 3 Advanced Threats PRM-01
US (19)
Framework Mapping Values
US CERT RMM 1.2 EF:SG3.SP3 EF:SG4.SP1 FRM:SG1.SP2 FRM:SG2.SP1 FRM:SG2.SP2 FRM:SG2.SP3 FRM:SG4.SP2 FRM:SG5.SP1 FRM:SG5.SP2 FRM:SG5.SP3 GG2.GP3
US CMS MARS-E 2.0 PL-1
US DHS CISA TIC 3.0 3.PEP.EN.CMONI
US FCA CRM 609.935(d) 609.935(e)
US FedRAMP R4 PL-1
US FedRAMP R4 (low) PL-1
US FedRAMP R4 (moderate) PL-1
US FedRAMP R4 (high) PL-1
US FedRAMP R4 (LI-SaaS) PL-1
US FedRAMP R5 (source) PL-1
US FedRAMP R5 (low) (source) PL-1
US FedRAMP R5 (moderate) (source) PL-1
US FedRAMP R5 (high) (source) PL-1
US FedRAMP R5 (LI-SaaS) (source) PL-1
US IRS 1075 PL-1
US NISPOM 2020 8-101 8-311
US - TX DIR Control Standards 2.0 PL-1
US - TX TX-RAMP Level 1 PL-1
US - TX TX-RAMP Level 2 PL-1
EMEA (10)
Framework Mapping Values
EMEA EU EBA GL/2019/04 3.2.1(6) 3.6.1(61) 3.6.1(62) 3.6.1(64) 3.6.1(65) 3.6.1(66)
EMEA EU DORA 7(a) 7(b) 7(c) 7(d)
EMEA Austria Sec 14 Sec 15
EMEA Belgium 16
EMEA Germany Banking Supervisory Requirements for IT (BAIT) 2.3 7.4 7.5 8.3
EMEA Israel CDMO 1.0 17.5
EMEA Saudi Arabia CSCC-1 2019 1-1
EMEA Saudi Arabia ECC-1 2018 1-1-3 1-2-3
EMEA South Africa 19
EMEA Spain CCN-STIC 825 9
APAC (7)
Framework Mapping Values
APAC Australia ISM June 2024 ISM-0720 ISM-0732
APAC Australia Prudential Standard CPS230 25
APAC Australia Prudential Standard CPS234 13 15
APAC India SEBI CSCRF GV.RR.S4
APAC Japan ISMAP 4.1 6.1.5
APAC New Zealand NZISM 3.6 3.2.15.C.01
APAC Singapore MAS TRM 2021 5.1.1 5.1.2 5.1.3 5.1.4
Americas (3)
Framework Mapping Values
Americas Canada CSAG 1.1 6.22
Americas Canada OSFI B-13 1.2.1
Americas Canada ITSP-10-171 03.16.01

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to facilitate the implementation of cybersecurity and data protection-related resource planning controls that define a viable plan for achieving cybersecurity and data protection objectives.

Level 1 — Performed Informally

Project & Resource Management (PRM) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Program/project management is decentralized.
  • IT personnel work with data/process owners to help ensure secure practices are implemented throughout the System Development Lifecycle (SDLC) for all high-value projects.
Level 2 — Planned & Tracked

Project & Resource Management (PRM) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Program/project management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  • IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for Project Management (PM).
  • The PM function facilitates the implementation of cybersecurity and data protection-related resource planning controls across the System Development Lifecycle (SDLC) for all projects.
  • The responsibility for enforcing cybersecurity and data protection control implementation is assigned to business / process owners and asset custodians.
  • The Chief Information Officer (CIO), or similar function, analyzes the organization's business strategy and prioritizes the objectives and resourcing of the security function, based on broader business requirements.
Level 3 — Well Defined

Project & Resource Management (PRM) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization's business strategy to determine prioritized and authoritative guidance for program/project management practices.
  • The CISO, or similar function, develops a security-focused Concept of Operations (CONOPS) that documents management, operational and technical measures to apply defense-in-depth techniques across the enterprise with regards to program/project management.
  • The CISO, or similar function, leverages a capability maturity model to define and identify targeted capability maturity levels for each of the functions that make up the cybersecurity and data protection program.
  • A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and data protection controls to protect the confidentiality, integrity, availability and safety of the organization's applications, systems, services and data for program/project management.
  • A steering committee is formally established to provide executive oversight of the cybersecurity and data protection program, including program/project management.
  • A Project Management Office (PMO), or project management function, enables the centralized-implementation of cybersecurity and data protection-related resource planning controls across the System Development Lifecycle (SDLC) for all projects.
  • The PMO determines the identification and allocation of resources for cybersecurity and data protection requirements within business process planning for projects and other initiatives.
  • Project Management (PM) is centrally-managed across the enterprise to implement cybersecurity and data protection controls as part of the project management lifecycle, with the responsibility for enforcing cybersecurity and data protection control implementation assigned to business / process owners and asset custodians.
  • Subordinate staff and stakeholders are educated on the capability maturity expectations and those targets are used to task individual contributor work activities in an effort to achieve the targeted maturity levels.
Level 4 — Quantitatively Controlled

See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to facilitate the implementation of cybersecurity and data protection-related resource planning controls that define a viable plan for achieving cybersecurity and data protection objectives.

Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to facilitate the implementation of cybersecurity and data protection-related resource planning controls that define a viable plan for achieving cybersecurity and data protection objectives.

Assessment Objectives

  1. PRM-01_A01 the organization-defined official is designated to manage the development, documentation, and dissemination of the planning policy and procedures.
  2. PRM-01_A02 planning procedures facilitate the implementation of the planning policy and associated planning controls are developed and documented.
  3. PRM-01_A03 personnel or roles to whom the planning policy is to be disseminated is/are defined.
  4. PRM-01_A04 personnel or roles to whom the planning procedures are to be disseminated is/are defined.
  5. PRM-01_A05 one or more of the following organization-defined criteria is/are selected: mission/business process-level /system-level.
  6. PRM-01_A06 an official to manage the planning policy and procedures is defined.
  7. PRM-01_A07 the frequency with which the current planning policy is reviewed / updated is defined.
  8. PRM-01_A08 events that would require the current planning policy to be reviewed / updated are defined.
  9. PRM-01_A09 the frequency with which the current planning procedures are reviewed / updated is defined.
  10. PRM-01_A10 events that would require procedures to be reviewed / updated are defined.
  11. PRM-01_A11 a planning policy is developed and documented.
  12. PRM-01_A12 the planning policy is disseminated to organization-defined personnel or roles.
  13. PRM-01_A13 the planning procedures are disseminated to organization-defined personnel or roles.
  14. PRM-01_A14 the organization's planning policy addresses purpose.
  15. PRM-01_A15 the organization's planning policy addresses scope.
  16. PRM-01_A16 the organization's planning policy addresses roles.
  17. PRM-01_A17 the organization's planning policy addresses responsibilities.
  18. PRM-01_A18 the organization's planning policy addresses management commitment.
  19. PRM-01_A19 the organization's planning policy addresses coordination among organizational entities.
  20. PRM-01_A20 the organization's planning policy addresses compliance.
  21. PRM-01_A21 the organization's planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines.
  22. PRM-01_A22 the current planning policy is reviewed / updated organization-defined frequency.
  23. PRM-01_A23 the current planning policy is reviewed / updated following organization-defined events.
  24. PRM-01_A24 the current planning procedures are reviewed / updated organization-defined frequency.
  25. PRM-01_A25 the current planning procedures are reviewed / updated following organization-defined events.
  26. PRM-01_A26 Project & Resource Management (PRM) operations are conducted according to documented policies, standards, procedures and/or other organizational directives.
  27. PRM-01_A27 adequate resources (e.g., people, processes, technologies, data and/or facilities) are provided to support Project & Resource Management (PRM) operations.
  28. PRM-01_A28 responsibility and authority for the performance of Project & Resource Management (PRM)-related activities are assigned to designated personnel.
  29. PRM-01_A29 personnel performing Project & Resource Management (PRM)-related activities have the skills and knowledge needed to perform their assigned duties.

Evidence Requirements

E-PRM-02 Portfolio Roadmap

Documented evidence of the organization's roadmap for implementing cybersecurity-related initiatives and technologies.

Resource Management

Technology Recommendations

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.

Manage this control in SCF Connect

Track implementation status, collect evidence, and map controls to your compliance frameworks automatically.

Get Started Free