Skip to main content

PRM-06: Business Process Definition

PRM 7 — High Identify

Mechanisms exist to define business processes with consideration for cybersecurity and data protection that determines: (1) The resulting risk to organizational operations, assets, individuals and other organizations; and (2) Information protection needs arising from the defined business processes and revises the processes as necessary, until an achievable set of protection needs is obtained.

Control Question: Does the organization define business processes with consideration for cybersecurity and data protection that determines: (1) The resulting risk to organizational operations, assets, individuals and other organizations; and (2) Information protection needs arising from the defined business processes and revises the processes as necessary, until an achievable set of protection needs is obtained?

General (22)
Framework Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source) CC1.3 CC3.1 CC3.1-POF10 CC3.1-POF11 CC3.1-POF12 CC3.1-POF13 CC3.1-POF14 CC3.1-POF15 CC3.1-POF16 CC3.1-POF7 CC3.1-POF8 CC3.1-POF9 CC3.4 CC4.1 CC5.1 CC5.2 P6.7-POF1 PI1.1 PI1.1-POF1 PI1.3-POF1 PI1.3-POF2 PI1.3-POF3 PI1.3-POF4 PI1.3-POF5 PI1.4-POF1 PI1.4-POF2 PI1.4-POF3 PI1.4-POF4 PI1.5-POF1 PI1.5-POF2 PI1.5-POF3 PI1.5-POF4
CIS CSC 8.1 15.7
CIS CSC 8.1 IG3 15.7
COBIT 2019 APO01.10 APO08.01 BAI02.01
COSO 2017 Principle 3 Principle 6 Principle 9 Principle 10 Principle 11 Principle 16
CSA IoT SCF 2 LGL-01 LGL-02 LGL-03 LGL-04 LGL-05 LGL-06 LGL-07 LGL-08
ISO/SAE 21434 2021 RC-05-10 RQ-06-01 RQ-06-11 RQ-06-12
ISO 22301 2019 6.2.1 6.2.2
ISO 27701 2025 4.1 4.2 4.2(a) 4.2(b) 4.2(c) 6.1.1
ISO 31010 2009 4.3.1 4.3.2
ISO 42001 2023 4.1 4.2 7.4
NIST AI 100-1 (AI RMF) 1.0 MAP 1.0 MAP 1.1 MAP 1.4 MAP 2.1
NIST Privacy Framework 1.0 ID.IM-P5 CT.PO-P1 CT.DM-P9 CT.DM-P10
NIST 800-53 R4 PM-11
NIST 800-53 R5 (source) PM-11
NIST 800-53 R5 (NOC) (source) PM-11
NIST 800-160 3.4 3.4.1 3.4.2
NIST 800-161 R1 PM-11
NIST 800-161 R1 Level 1 PM-11
NIST 800-161 R1 Level 2 PM-11
NIST 800-161 R1 Level 3 PM-11
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) PRM-06
US (7)
Framework Mapping Values
US CERT RMM 1.2 ADM:SG2.SP1 COMM:SG1.SP2 COMM:SG3.SP1 EC:SG4.SP1 EF:SG1.SP3 OPD:SG1.SP1 PM:SG3.SP2 PM:SG3.SP4 PM:SG3.SP5 RRD:SG3.SP1 SC:SG1.SP1 SC:SG3.SP1 TM:SG5.SP1
US CMS MARS-E 2.0 PM-11
US FCA CRM 609.935(e)
US HIPAA Administrative Simplification 2013 (source) 164.306(b)(2)(i)
US HIPAA Security Rule / NIST SP 800-66 R2 (source) 164.306(b)(2)(i)
US NISPOM 2020 8-303
US - CO Colorado Privacy Act 6-1-1308(1)(c)(I) 6-1-1308(1)(c)(II)
EMEA (5)
Framework Mapping Values
EMEA EU EBA GL/2019/04 3.5(51) 3.6.1(64) 3.6.1(65) 3.6.2(68)
EMEA EU DORA 8.1
EMEA EU NIS2 Annex 6.2.2(a)
EMEA Israel CDMO 1.0 17.5 17.6
EMEA Qatar PDPPL 11.4 11.5 11.6
APAC (5)
Framework Mapping Values
APAC Japan ISMAP 4.4.3 4.4.3.1 4.4.4 4.4.4.1
APAC New Zealand HISF 2022 HSUP27
APAC New Zealand HISF Suppliers 2023 HSUP27
APAC New Zealand NZISM 3.6 12.1.32.C.01 12.1.32.C.02 12.1.32.C.03
APAC Singapore MAS TRM 2021 5.5.1 5.5.2
Americas (1)
Framework Mapping Values
Americas Canada OSFI B-13 1.2.1 2.1 2.3 2.4.1 2.4.3 2.8

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to define business processes with consideration for cybersecurity and data protection that determines: (1) The resulting risk to organizational operations, assets, individuals and other organizations; and (2) Information protection needs arising from the defined business processes and revises the processes as necessary, until an achievable set of protection needs is obtained.

Level 1 — Performed Informally

Project & Resource Management (PRM) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Program/project management is decentralized.
  • IT personnel work with data/process owners to help ensure secure practices are implemented throughout the System Development Lifecycle (SDLC) for all high-value projects.
Level 2 — Planned & Tracked

Project & Resource Management (PRM) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Program/project management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  • IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for Project Management (PM).
  • The PM function facilitates the implementation of cybersecurity and data protection-related resource planning controls across the System Development Lifecycle (SDLC) for all projects.
  • The responsibility for enforcing cybersecurity and data protection control implementation is assigned to business / process owners and asset custodians.
Level 3 — Well Defined

Project & Resource Management (PRM) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization's business strategy to determine prioritized and authoritative guidance for program/project management practices.
  • The CISO, or similar function, develops a security-focused Concept of Operations (CONOPS) that documents management, operational and technical measures to apply defense-in-depth techniques across the enterprise with regards to program/project management.
  • The CISO, or similar function, leverages a capability maturity model to define and identify targeted capability maturity levels for each of the functions that make up the cybersecurity and data protection program.
  • A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and data protection controls to protect the confidentiality, integrity, availability and safety of the organization's applications, systems, services and data for program/project management.
  • A steering committee is formally established to provide executive oversight of the cybersecurity and data protection program, including program/project management.
  • A Project Management Office (PMO), or project management function, enables the centralized-implementation of cybersecurity and data protection-related resource planning controls across the System Development Lifecycle (SDLC) for all projects.
  • The PMO determines the identification and allocation of resources for cybersecurity and data protection requirements within business process planning for projects and other initiatives.
  • Project Management (PM) is centrally-managed across the enterprise to implement cybersecurity and data protection controls as part of the project management lifecycle, with the responsibility for enforcing cybersecurity and data protection control implementation assigned to business / process owners and asset custodians.
  • Subordinate staff and stakeholders are educated on the capability maturity expectations and those targets are used to task individual contributor work activities in an effort to achieve the targeted maturity levels.
Level 4 — Quantitatively Controlled

Project & Resource Management (PRM) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
  • Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
  • Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
  • Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
  • Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
  • Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to define business processes with consideration for cybersecurity and data protection that determines: (1) The resulting risk to organizational operations, assets, individuals and other organizations; and (2) Information protection needs arising from the defined business processes and revises the processes as necessary, until an achievable set of protection needs is obtained.

Assessment Objectives

  1. PRM-06_A01 organizational mission and business processes are defined with consideration for cybersecurity / data privacy.
  2. PRM-06_A02 organizational mission and business processes are defined with consideration for the resulting risk to organizational operations, organizational assets, individuals, other organizations and the Nation.
  3. PRM-06_A03 the frequency at which to review and revise the mission and business processes is defined.
  4. PRM-06_A04 information protection needs arising from the defined mission and business processes are determined.
  5. PRM-06_A05 Personal Data (PD) processing needs arising from the defined mission and business processes are determined.
  6. PRM-06_A06 the mission and business processes are reviewed and revised per an organization-defined frequency.

Evidence Requirements

E-PRM-03 Secure Development Lifecycle (SDLC)

Documented evidence of a secure development lifecycle that the organization utilizes for new initiatives or significant changes to existing initiatives to ensure cybersecurity & data privacy principles are identified and implemented by default.

Resource Management

Technology Recommendations

Micro/Small

  • Defined business processes
  • Product / project management
  • Defined technical requirements
  • Defined business requirements

Small

  • Defined business processes
  • Product / project management
  • Defined technical requirements
  • Defined business requirements

Medium

  • Defined business processes
  • Product / project management
  • Defined technical requirements
  • Defined business requirements
  • System Development Lifecycle (SDLC) governance / oversight

Large

  • Defined business processes
  • Product / project management
  • Defined technical requirements
  • Defined business requirements
  • System Development Lifecycle (SDLC) governance / oversight

Enterprise

  • Defined business processes
  • Product / project management
  • Defined technical requirements
  • Defined business requirements
  • System Development Lifecycle (SDLC) governance / oversight

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.

Manage this control in SCF Connect

Track implementation status, collect evidence, and map controls to your compliance frameworks automatically.

Get Started Free